Bypass Sandbox by logging off Win10 with COMODO build 8012

[Redstraw]

Windows 10 21H2 X64
COMODO Firewall v12.2.2.8012

Case 1: With default Sandbox enabled (Fully Virtualized), the sample makes the OS log off, means bypassed the Sandbox.
Case 2: Adding rule to Sandbox the sample in the containment setting and change the restriction level to Partially Limited, the result is same as the above case 1, means bypassed the Sandbox.
Case 3: Adding rule to Sandbox the sample in the containment setting and change the restriction level to Limited or above, the sample can be blocked successfully.

In summary:
The default setting (Fully Virtualized) which can either be triggered automatically or by the right click context menu "running in the sandbox" can not block the operations of this sample leading to the bypass. Besides, the Partially Limited restriction also can not block the operations.

Here is the recorded video:
https://vimeo.com/692917748

PM for the sample if anyone who want to test.

[futuretech]

Yes, Internet config does not prevent shutdown/restart/logoff as it does not contain a specific token privilege added to the protected COM interfaces list, also being able to shutdown/restart/log off is not considered a security issue. This is one of the reasons to get the most protection is to use the proactive config and make tweaks from that baseline configuration. The token privilege is the Shutdown privilege which can be added to the protected COM interfaces using the string LocalSecurityAuthority.Shutdown

Edit: log off is not prevented even with proactive but again not really a security issue.

[Redstraw]

Yes, Internet config does not prevent shutdown/restart/logoff as it does not contain a specific token privilege added to the protected COM interfaces list, also being able to shutdown/restart/log off is not considered a security issue. This is one of the reasons to get the most protection is to use the proactive config and make tweaks from that baseline configuration. The token privilege is the Shutdown privilege which can be added to the protected COM interfaces using the string LocalSecurityAuthority.Shutdown

Edit: log off is not prevented even with proactive but again not really a security issue.

I am really confused that why the OS is logged off or shut down by a malware is not considered as a security issue.

[CISfan]

I think that such malware has no benefit from only shutting down or logging off a system as long as it does not cause any permanent changes or damage to the system.
Normally malware likes to harvest personal data or to collect you money.

[Redstraw]

I think that such malware has no benefit from only shutting down or logging off a system as long as it does not cause any permanent changes or damage to the system.
Normally malware likes to harvest personal data or to collect you money.

But what will happen if the users are working on writing paper, preparing presentation or processing data when the malware shuts down the OS. This may terribly cause data loss or data damage.

[C.O.M.O.D.O RT]

But what will happen if the users are working on writing paper, preparing presentation or processing data when the malware shuts down the OS. This may terribly cause data loss or data damage.

Hi Redstraw,

We are checking on this.

Thanks
C.O.M.O.D.O RT

[CISfan]

But what will happen if the users are working on writing paper, preparing presentation or processing data when the malware shuts down the OS. This may terribly cause data loss or data damage.

Nowadays almost every application has some kind of auto-save function build-in to prevent severe data loss in case the application crashes due to application software failures or maybe due to malware shutting down or logging off a system, you would lose only a few minutes of your work or so (depending on the auto-save function timer setting).
I wouldn't have sleepless nights regarding this.

[Redstraw]

Nowadays almost every application has some kind of auto-save function build-in to prevent severe data loss in case the application crashes due to application software failures or maybe due to malware shutting down or logging off a system, you would lose only a few minutes of your work or so (depending on the auto-save function timer setting).
I wouldn't have sleepless nights regarding this.

I don't entirely rely on that automatic saving function.
Last year when I was editing my bibliography with EndNote, which contained 4k+ entries, a sudden shutting down of the OS totally damaged the bibliography database, which I had collected for assisting my study for many years. I think you will be sleepless if you have also suffered such accident.

[CISfan]

I don't entirely rely on that automatic saving function.
Last year when I was editing my bibliography with EndNote, which contained 4k+ entries, a sudden shutting down of the OS totally damaged the bibliography database, which I had collected for assisting my study for many years. I think you will be sleepless if you have also suffered such accident.

Sure I would be sleepless too after such drama. But on the other hand when I work on something on my PC I always do save the work manually at regular time intervals just to prevent that due to unexpected OS or application crashes I would loose too much work.
Pressing "Ctrl+S" regularly to save the work doesn't take much effort for me.

[Redstraw]

Sure I would be sleepless too after such drama. But on the other hand when I work on something on my PC I always do save the work manually at regular time intervals just to prevent that due to unexpected OS or application crashes I would loose too much work.
Pressing "Ctrl+S" regularly to save the work doesn't take much effort for me.

First, the damage of my bibliography database had nothing to do with whether it was regularly saved or not. It was damaged/corrupted instead of simple incremental data loss due to sudden shut down of the OS.

Second, as a veteran of doing office work and an experienced user I don't need anyone to teach me how to save a file either by automatically or manually.

Finally and most importantly, please concentrate on the subject of this thread.

[cruelsister]

Hi Guys! I was kindly given the file in discussion by RedStraw (thanks again!). Although I ran it on the same system (x64 with CF build 8012) I was unable to note any changes with the Sandbox set at any level.

Although the malware was coded to do a number of things (like screwing with 360 and Minecraft), it did contain scripts that will shutdown the system (like shutdown -s -t 15). Regarding this one, note that by running the script directly from cmd, or converting it to a batch file will indeed shut the system down- understandably so as this is a legitimate windows command and will not be detected by ANYTHING) God forbid it it was- we would be left with hard shutdowns and resets).

However if we were to save that script as a batch file and run that in the sandbox nothing will happen at all. Further, if we were to screw with the batch file and convert it to an executable it would then be detected as unknown and fully contained.

Another command coded within the file was a string (del -f -d -q) to delete any 360 directories and files found on the system, which will also be stopped by containment but not if run directly.The malware did a few other bot interesting things but all containment is more than capable of suppressing.

So, in short, your bibliography will be safe unless you delete it yourself.

[Redstraw]

Hi Guys! I was kindly given the file in discussion by RedStraw (thanks again!). Although I ran it on the same system (x64 with CF build 8012) I was unable to note any changes with the Sandbox set at any level.

Although the malware was coded to do a number of things (like screwing with 360 and Minecraft), it did contain scripts that will shutdown the system (like shutdown -s -t 15). Regarding this one, note that by running the script directly from cmd, or converting it to a batch file will indeed shut the system down- understandably so as this is a legitimate windows command and will not be detected by ANYTHING) God forbid it it was- we would be left with hard shutdowns and resets).

However if we were to save that script as a batch file and run that in the sandbox nothing will happen at all. Further, if we were to screw with the batch file and convert it to an executable it would then be detected as unknown and fully contained.

Another command coded within the file was a string (del -f -d -q) to delete any 360 directories and files found on the system, which will also be stopped by containment but not if run directly.The malware did a few other bot interesting things but all containment is more than capable of suppressing.

So, in short, your bibliography will be safe unless you delete it yourself.

Interesting, can you share your testing with a video contains the test process and the settings of CIS or CFW?

[prodex]

So, in short, your bibliography will be safe unless you delete it yourself.

That's the difference! Someone who knows how to handle cis.

We don't know, what else anyone does do anymore.

I modified cruelsister's configuration and containment and cis protected me by now in a reliable way: "Another PC is trying to remotely control your computer - we have stopped containment....and....." was the was the sharpest weapon so far against foreign influence.

By the way, cisfan is right. I would save such important work several times on several storage media . This has nothing to do with the topic, but a shutdown really wouldn't be a security issue in short regular intervals..

[cruelsister]

Interesting, can you share your testing with a video contains the test process and the settings of CIS or CFW?

I've given up making videos (nobody watched them anyway) but this one would be rather boring as both malware samples you submitted could not run. I use CF at my preferred settings which can be found everywhere. Keep in mind that you don't want to make the setup fancy with unnecessary tweaks as simple is the best. So please setup CF accordingly and re-run those samples if you find the time.

But on the topic of malware not being able to activate, an increasing number of malware including things in the news recently (like Cobalt, Vidar, Trickbot to name a few) have had coded into them a function that will inventory the victim's system and if cmdvrt64.dll (Comodo driver) is found the malware shuts down. In short if Comodo is installed-even with all components disabled- some current malware will not even run. I read many Comodo complaints on this Forum but nothing about this.

[victorlopes]

I've given up making videos (nobody watched them anyway) but this one would be rather boring as both malware samples you submitted could not run. I use CF at my preferred settings which can be found everywhere. Keep in mind that you don't want to make the setup fancy with unnecessary tweaks as simple is the best. So please setup CF accordingly and re-run those samples if you find the time.

But on the topic of malware not being able to activate, an increasing number of malware including things in the news recently (like Cobalt, Vidar, Trickbot to name a few) have had coded into them a function that will inventory the victim's system and if cmdvrt64.dll (Comodo driver) is found the malware shuts down. In short if Comodo is installed-even with all components disabled- some current malware will not even run. I read many Comodo complaints on this Forum but nothing about this.

girl, youre great and we all love your feedbacks... sorry to ask, but... why dont you enter cis team to work improving it? we all trust in you and you seem to have the skills to make cis great again.. what about that Melih? she could be a great plus on the team..